Nuclear Safety
No. 86
RELATED PUBLICATIONS
The IAEA provides for the application of the standards and, under the terms of Articles III
and VIII.C of its Statute, makes available and fosters the exchange of information relating
to peaceful nuclear activities and serves as an intermediary among its Member States for this
purpose.
Reports on safety in nuclear activities are issued as Safety Reports, which provide
practical examples and detailed methods that can be used in support of the safety standards.
Other safety related IAEA publications are issued as Emergency Preparedness and
Response publications, Radiological Assessment Reports, the International Nuclear Safety
Group's INSAG Reports, Technical Reports and TECDOCs. The IAEA also issues reports
on radiological accidents, training manuals and practical manuals, and other special safety
related publications.
Security related publications are issued in the IAEA Nuclear Security Series.
The IAEA Nuclear Energy Series comprises informational publications to encourage
and assist research on, and the development and practical application of, nuclear energy for
peaceful purposes. It includes reports and guides on the status of and advances in technology,
and on experience, good practices and practical examples in the areas of nuclear power, the
nuclear fuel cycle, radioactive waste management and decommissioning.
SAFETY ASPECTS OF
NUCLEAR POWER PLANTS
IN HUMAN INDUCED
EXTERNAL EVENTS:
GENERAL CONSIDERATIONS
The following States are Members of the International Atomic Energy Agency:
The Agency's Statute was approved on 23 October 1956 by the Conference on the Statute of the
IAEA held at United Nations Headquarters, New York; it entered into force on 29 July 1957.
The Headquarters of the Agency are situated in Vienna. Its principal objective is to accelerate and enlarge
the contribution of atomic energy to peace, health and prosperity throughout the world.
SAFETY REPORTS SERIES No. 86
All IAEA scientific and technical publications are protected by the terms of
the Universal Copyright Convention as adopted in 1952 (Berne) and as revised
in 1972 (Paris). The copyright has since been extended by the World Intellectual
Property Organization (Geneva) to include electronic and virtual intellectual
property. Permission to use whole or parts of texts contained in IAEA publications
in printed or electronic form must be obtained and is usually subject to royalty
agreements. Proposals for non-commercial reproductions and translations are
welcomed and considered on a case-by-case basis. Enquiries should be addressed
to the IAEA Publishing Section at:
IAEA, 2017
1. INTRODUCTION
1.1. Background
1.2. Objective
1.3. Scope
1.4. Structure
1.5. Definitions
2.1. Assumptions
2.2. Key elements
2.2.1. Phase 1: Event identification
2.2.2. Phase 2: Hazard evaluation and load characterization
2.2.3. Phase 3: Design and evaluation approaches to structures, systems and components
2.2.4. Phase 4: Plant performance assessment and acceptance criteria
2.2.5. Phase 5: Operator response
2.3. Design and evaluation principles
2.3.1. Event agnostic effects: Loading conditions
2.3.2. Defence in depth
2.4. Input to nuclear power plant assessment
2.4.1. Plant performance criteria
2.4.2. Plant acceptance criteria
2.4.3. Operational status
2.4.4. Consideration of multi-unit sites
2.4.5. Severe accident prevention and management
2.5. Assessments of extreme plant conditions
2.6. Uncertainty
REFERENCES
ABBREVIATIONS
CONTRIBUTORS TO DRAFTING AND REVIEW
1. INTRODUCTION
1.1. BACKGROUND
of facilities subjected to design basis external events and beyond design basis
external events. In addition to this Safety Report, they include:
(a) Safety Aspects of Nuclear Power Plants in Human Induced External Events:
Assessment of Structures, Safety Reports Series No. 87 [2];
(b) Safety Aspects of Nuclear Power Plants in Human Induced External Events:
Margin Assessment, Safety Reports Series No. 88 [3].
This publication is the first in the series. It provides the general framework
and includes a roadmap for performing the design and the evaluation of the
protection against human induced external events. This Safety Report concentrates
on an overall view of the methodology and on the important considerations for
its application to existing and new nuclear power plants. Topics covered include
elements of the design and evaluation approach, developed in five phases:
The second report in the series addresses phases 2 and 3 of the general
framework. It provides detailed guidelines for the safety assessment of nuclear
power plant structures against mechanical impacts, explosions and fire hazards
caused by human induced external events. The report covers the characterization
of loading, the assessment of structural integrity using both simplified methods
and more elaborated methodologies, and the assessment of induced vibration.
Acceptance criteria are given in the report for different failure modes: overall
stability, overall bending and shear, local failure modes and induced vibrations.
In addition, since many of the human induced external events may result in a
fire, the process of analysing the fire consequences is also given. Approaches to
assessing the barrier fire performance and the fire performance of SSCs are also
given.
The third report in the series addresses phases 1 and 4 of the general
framework. The report describes the procedures for assessing the safety margins
of nuclear power plants against human induced external events. Both postulated
and accidental hazards are considered. The report focuses on plant and systems
performance evaluations. A tiered approach to margin assessment is provided.
The first tier consists of a deterministic procedure in which, for each scenario, the
existence of at least one undamaged success path¹ to comply with the fundamental
safety function is investigated. This procedure can be extended to calculate
probability measures such as the conditional core damage probability and the
conditional probability of loss of spent fuel pool cooling and spent fuel damage,
given the scenario. In the most elaborated stage, probabilistic safety assessment
(PSA) techniques are introduced, giving consideration to the probabilistic aspects
of hazards and of SSC capacity (fragility). Event tree and fault tree models are
used to compute usual PSA metrics, such as core damage frequency, large early
release frequency, and frequency of loss of spent fuel pool cooling and spent fuel
damage.
In summary, these three publications in the Safety Reports Series provide
methodologies that can be used in the evaluation of SSC capacity of nuclear
power plants subjected to extreme human induced external events and in the
assessment of the resulting safety margin of the facilities. The three publications
may be useful to nuclear facility owners, operators and regulators who need
an understanding of the safety issues in relation to human induced events.
They contain descriptions of internationally accepted methods applied by the
engineering community and some examples that may be useful in the evaluation
of the need for plant upgrading. Many references are also provided for more
detailed guidance, and the publications rely on many IAEA safety standards and
relevant technical publications.
The three Safety Reports have a common thread and are closely related
to each other. Together, they provide an approach to the assessment against
extreme human induced external events fully consistent with the methods used
for evaluation of nuclear facilities subjected to extreme natural events, such as
earthquakes and floods.
1.2. OBJECTIVE
¹ A success path is a set of systems and associated components that can be used to
bring the plant to a stable hot or cold shutdown condition and to maintain this condition for a
specified period of time.
1.3. SCOPE
1.4. STRUCTURE
1.5. DEFINITIONS
Event
An external event that is more severe than a design basis external event
(DBEE). The term refers to external events either not included as a design basis
or included with a lower degree of severity.
Loading conditions
in Refs [2, 3]. These multiple loading conditions are denoted as follows: DBEE,
DEE1 and DEE2. Increased magnitudes of loads are defined for DBEE, DEE1
and DEE2. Design extension conditions are events to be used in the design or
evaluation process that correspond to rare and severe external events. Design
processes of most existing facilities do not consider design extension conditions
(see Fig. 1).
FIG. 1. Classification of external events from the point of view of design requirements.
Performance criteria
A defined function that the plant and SSCs are required to perform when
subjected to the events (especially important for design extension events).
Examples of performance criteria for DBEE are the design criteria (e.g. for
structures, essentially elastic behaviour). Examples for DEE1 include system
redundancy, reduced functionality (but adequate for cold shutdown), and structure
integrity and leaktightness. Examples for DEE2 include reduced functionality
(but adequate for structure integrity) and cold shutdown. System redundancy is
not required.
Acceptance criteria
Criteria that the plant and SSCs are required to satisfy when subjected to the
events in order to show that the performance criteria are met. They may be design
criteria or less conservative criteria. They may be success paths (multiple success
paths or a single success path, depending on the loading condition). They may
be PSA metrics, such as conditional probability of failure of the nuclear power
plant or of specific SSCs. They may be based on best estimate procedures and
parameter values or on conservatively biased values. Tiered acceptance criteria
corresponding to the tiered loading conditions are adopted in Refs [2, 3].
Plant margin
2.1. ASSUMPTIONS
(a) Loss of off-site power: This may occur owing to failure of on-site or off-site
physical elements, such as switchyard (on-site) or grid infrastructure (most
likely transmission towers, although substations and power generation plants
could also be vulnerable). The hypothesized event (e.g. an aircraft crash)
may easily affect on-site elements, such as the switchyard, and still possess
energy to impact buildings and structures.
(b) Plant state when event occurs: The external event can take place, for
example, at full power and normal state, during hot shutdown due to
advance warning of extreme human induced event occurring imminently,
and at shutdown condition during refuelling outage.
(c) Time before aid from outside the plant boundary can arrive.
TABLE 1. IDENTIFICATION OF SOURCES AND ASSOCIATED
INITIATING EVENTS (cont.)
Stationary sources
Mobile sources
TABLE 2. EVOLUTION OF EVENTS AND IMPACT ON THE NUCLEAR POWER PLANT

| Event | Evolution of events | Impact on the plant |
|---|---|---|
| Explosion (deflagration, detonation) | Explosion pressure wave; Projectiles; Smoke, gas and dust produced in the explosion can drift towards the plant; Associated flames and fires | (1) (2) (3) (4) (5) (6) (7) |
| Fire (external) | Sparks can ignite other fires; Smoke and combustion gas of fire can drift towards the plant; Heat (thermal flux) | (3) (4) (5) (6) |
| Release of flammable, explosive, asphyxiant, corrosive, toxic or radioactive substances | Clouds or liquids can drift towards the plant and burn or explode before or after reaching it, outside or inside the plant; Clouds or liquids can also migrate into areas where operators or safety related equipment can be prevented from functioning | (1) (2) (3) (4) (5) (6) |
| Aircraft crashes or abnormal flights leading to crashes, collision of planes, projectiles | Projectiles; Fire; Explosion of fuel tanks | (1) (2) (3) (4) (5) (6) |
| Vehicle impacts | | |
11
TABLE 3. IMPACT ON THE NUCLEAR POWER PLANT AND CONSEQUENCES

| Impact on the plant | Parameters | Consequences of impact |
|---|---|---|
| (1) Pressure wave | Local overpressure at the plant as a function of time | Collapse of parts of structure or disruption of systems and components |
| (2) Projectile | Mass; Velocity; Shape; Size; Type of material; Structural features; Impact angle | Penetration, perforation or spalling of structures or disruption of systems and components; Collapse of parts of structure or disruption of systems and components; Vibration induced false signals in equipment |
| (3) Heat | Maximum heat flux and duration | Impaired habitability of control room; Disruption of systems or components; Ignition of combustibles |
| (4) Smoke and dust | Composition; Concentration and quantity as a function of time | Blockage of intake filters; Impaired habitability of control room and other important plant rooms and affected areas |
| (5) Asphyxiant and toxic substances | Concentration and quantity as a function of time; Toxicity and asphyxiant limits | Threat to human life and health and impaired habitability of safety related areas; Prevention of fulfilment of safety functions by operators |
| (6) Corrosive and radioactive liquids, gases and aerosols | Concentration and quantity as a function of time; Corrosive, radioactive limits; Provenance (sea, land) | Threat to human life and health and impaired habitability of safety related areas; Corrosion and disruption of systems or components; Prevention of fulfilment of safety functions |
| (7) Ground shaking | Response spectrum | Mechanical damage |
| (8) Flooding (or drought) | Level of water with time; Velocity of impacting water | Damage to structures, systems and components |
| (9) Subsidence | Settlement, differential displacement, settlement rate | Collapse of structures or disruption of systems and components, including buried pipes, cables |
| (10) Electromagnetic interference | Frequency band and energy | False signals on electric equipment |
| (11) Eddy currents into ground | Intensity and duration | Corrosion of underground metal components; Grounding problems |
| (12) Damage to water intake | Mass of the ship, impact velocity and area, degree of blockage | Unavailability of cooling water |

Source: Table III of NS-G-3.1 [5].
(a) Safety of the public: To control the radiation exposure to people during
operational and accidental states, which is the overarching metric, with
intermediate metrics such as:
  - Core damage frequency;
  - Containment and containment systems failure;
  - Large early release frequency;
  - Release of radioactive material to the environment (dispersion in air,
    water and ground);
  - Collateral effects (e.g. explosions and release of hazardous materials).
(b) Environmental consequences: Short, medium and long term effects on the
environment (air, water and ground).
(c) Safety of plant personnel: Short, medium and long term health and welfare
of plant personnel.
(d) Energy security of the Member State: The need for the power generated by
the nuclear power plant for Member State welfare.
(e) Economic considerations: Short, medium and long term effects on the
Member State economy.
This step is the decision process, in which the Member State screens and
categorizes the identified events from Step 1, and applies the consequence criteria
from Step 2 to define the events to be considered for the nuclear power plant of
interest. Categories include:
(a) Not to be considered: This includes those events that are not applicable
owing to reasons such as:
  - Physical conditions of the nuclear power plant of interest (e.g. an event
    defined by a barge carrying large quantities of chlorine, which could be
    accidentally released, but with no navigable water near the nuclear power
    plant);
  - Events that remain the responsibility of the Member State to ensure no
    impact on the nuclear power plant (e.g. a state owned dam whose water
    should be systematically released to prevent overtopping or dam failure
    under extreme flooding conditions).
(b) DBEEs: Generally, these are events considered in the design.
(c) DEEs: These are rare and extreme events for which realistic, rather than
conservative assumptions and acceptance criteria, can be used. They are the
principal subject of the design and evaluation process and methodology of
Refs [2, 3]. In existing plants, these events were generally not considered
in the design.
2.2.1.4. Phase 1 end products
The result of Phase 1 is the list of DBEEs and DEEs and their specification
as input to Phase 2. In Phase 2, the list is refined by more detailed assessment of
the range of potential events for their applicability to the specific nuclear power
plant (or other nuclear installation) under design or assessment.
In Phase 2, a second level of screening based on site and nuclear power
plant specific characteristics is implemented. Typical screening parameters to be
applied in this phase are probability, magnitude and distance of event specifics,
and on-site characteristics (e.g. design conditions and zones of influence). These
screening parameters are discussed in Section 3.1. An additional consideration is
the type and number of co-located facilities on the site (see Section 3.1.5.1).
The screened-in human induced external events are further evaluated and
loading functions are defined for the engineering evaluation. Additional screening
may be performed at this stage. The result is a final list of events to be considered
in the evaluation.
The load characterization is the link between the events and the definition
of the loading environment for the plant engineering organization to evaluate.
The resulting matrix of loading conditions produced by the events is to be applied
to the entire facility or to portions of it (see Table 4).
Tables 5–7 expand on Scenario 1 in Table 4 (aircraft impact event) to
identify the following parameters for engineering evaluation: impact, heat/fire
and vibration. Reference [2] describes the engineering evaluation process in
detail. These matrices, with their backup data, define the engineering loading
environments.
TABLE 4. EXTREME ENVIRONMENT MATRIX
Scenario No. | Scenario description | Impact | Blast | Heat/fire | Hazardous materials release | Smothering | Flooding | Other
1
2 Chlorine release No No No No No No
(Table A6)
1 3, 4 2, 3
3 Blast pipeline No No No Debris
(Table A10) (Table A8) (Table A9)
Note: Numbers under the physical loading conditions columns are explained in the specific table in parentheses. This example is explored in greater
detail in the Annex.
TABLE 5. IMPACT PARAMETER DEFINITION MATRIX: SCENARIO 1 (AIRCRAFT IMPACT)

| Missile No. | Description | Mass (kg) | Shape/configuration | Impact velocity (m/s) | Impact angle | Relative hardness | Fire | Explosion | Vibration | Other |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Crash of a large passenger aircraft with a fully fuelled fuselage into a nuclear power plant | 396 900 | Fuselage 40 m2/52 m2 | 110 | 3–10° to horizontal | Flexible | No | No | 1, 2, 3 (Table 7) | No |
| 2 | Large passenger aircraft engines as projectiles | 4 300 | Circular body 2.7 m fan diameter | 110 | 3–10° to horizontal | Semi-rigid | No | No | No | No |
| 3 | Debris | 5 000 | Rigid body | 110 | 3–10° to horizontal | Rigid | No | No | No | No |
TABLE 6. HEAT/FIRE PARAMETER DEFINITION MATRIX: SCENARIO 1 (AIRCRAFT IMPACT)

| Fire No. | Description | Combustible/ignition | Quantity (L) | Spreading surface | Heat potential/temp. (°C) | Burn duration (h) | Building/yard | Quantity (L) | Type | Ignition likelihood | Burn duration (h) |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 2 | Horizontal crash of a large passenger aircraft, with a fully fuelled fuselage, on the yard of a nuclear power plant | Yes | 216 000 | 60 m × 500 m | 1 200 | 18 | No | No | Kerosene | No | No |
TABLE 7. VIBRATION PARAMETER DEFINITION MATRIX: SCENARIO 1 (AIRCRAFT IMPACT)
LOADING FUNCTIONS
2 | Emergency cooling water building | All | No | No | Yes
3 | Diesel generator building | All | No | Yes | No
2.2.2.1. Phase 2 end products
(a) A potentially reduced set of screened-in human induced external events for
detailed evaluation;
(b) The engineering loading conditions to be considered for each of the
screened-in events to be evaluated.
(a) Hazard analysis leading to initiating events: The human induced external
events are the result of the hazards, which materialize in initiating events.
Each of the events may directly, or indirectly, generate event sequences
within the plant that have the potential to lead to core damage, containment
failure and radioactive material release. For DEEs, in the order of two to
ten initiating events may be identified for evaluation.
(b) Plant response: Two aspects of plant response are of interest: plant system
behaviour and the behaviour of SSCs to the imposed loading conditions for
the events. Plant systems are typically modelled by a combination of event
trees and fault trees. The event (e.g. an aircraft crash) is the initiator of
the accident sequences. Plant accident sequences are initiated by a faulted
condition, such as a loss of coolant accident, and are modelled by event
trees. The ability of the plant systems to mitigate the consequences of the
faulted condition depends on the degradation or failure of those safety
systems. For example, assuming a coincidental loss of off-site power, an
aircraft crash causes a loss of coolant accident, and the tertiary effect of
the aircraft crash is a fire in the yard that damages the emergency power
system.
(c) Fragility analysis: The analysis is performed on fragility functions of SSCs
subjected to the DEE loadings of the event. Fragility is defined as the
probability of failure as a function of the size of the input load. Generally,
the fragility function is in terms of a single load parameter. This single
parameter could integrate a number of factors into the single parameter;
for example, for an aircraft crash, variability associated with impact
parameters, such as velocity, angle and location of impact, and physical
characteristics, such as the mass of the aircraft, could be integrated into
a resulting single parameter. Alternatively, a multivariate fragility analysis
could be performed, but this is not typically used in nuclear facility PSA
methodology. For simplified evaluations, fragility functions for SSCs may
be assumed to be binary (i.e. zero or one), leading to screening of SSCs
based on the location relative to the damage footprint, or zone of influence.
(d) Accident sequence and systems analysis: In the majority of PSA
applications for internal and external events, event trees are developed to
model accident sequences and fault trees are developed to model failures
of elements within the event trees, such as systems and structures. For the
current applications of PSA modelling of human induced events, existing
systems models for internal and external initiators provide a valuable
starting point. Modifications to these systems models are required to include
failures normally not considered credible for previously modelled hazards.
One example is underground cable chases, which may be assumed to be
robust against internal events and external events, such as earthquakes,
wind storms and floods. However, a jet fuel fire in the yard may seep into
the cable chase and cause failure. Hence, for specific events, previously
screened out components need to be revisited for potential inclusion.
(e) Plant damage state: Accident sequences lead to core damage or core melt
end points to which containment performance trees need to be added. The
analyst needs to recognize that containment performance may be directly,
or indirectly, affected by the loading conditions of the containment systems.
(f) Containment assessment: Containment performance criteria vary among
Member States. In some Member States, containment damage and failure
may be allowed if core damage failure does not occur. In addition, emergency
management equipment as specified in emergency management equipment
guidance (EMEG) and diverse and flexible coping strategies (FLEX) are
important elements in containment performance achievement [6, 7].
(g) Off-site release: Off-site release may or may not be considered depending
on the risk acceptance criteria.
In using the plant specific PSA approach, each event is in theory modelled
by a set of event trees and fault trees similar in structure but with significant
differences in loading conditions and consequently plant failure probabilities.
To improve efficiencies of the analyses, the enveloping of loading conditions
needs to be considered to the extent possible, assuming this does not cause
excessively conservative results.
Many nuclear installations, in particular nuclear power plants, have
developed a plant specific PSA. These studies typically model internal events
and, in some cases, external events, such as earthquakes, fire, flooding and
high wind loads, including tornadoes. The plant specific PSA can be adapted to
perform an in depth safety analysis for extreme human induced external events.
The adaptation of the PSA for this analysis has some advantages, including:
- The existing plant logic models are available, can be adapted and used, and
  these models are the most accurate description of plant behaviour.
- End metrics consistent with high level acceptance criteria can be modified
  and used (e.g. core damage frequency and large release frequency can be
  calculated).
- Relative risk ranking of events can be made.
- Risk ranking of overall effectiveness of existing and proposed SSCs is
  possible.
- Effects of human error and unavailability of systems can be included.
On the other hand, the PSA approach also has some disadvantages. Unless
a very simplified PSA approach is used, such as a simplified event tree method, it
is only cost effective to use the PSA approach if an internal events PSA has been
performed. It is preferable that both internal events and external events, such as
earthquakes, high winds, floods or fire, are modelled using PSA techniques. Then,
it is only necessary to modify the systems models to include those basic events
that were screened out for previous studies but are potentially relevant to the
human induced external events. In addition, fragility functions are required for a
large number of components, depending on the detail of the systems models and
the number of events. The total number of SSCs may require significant effort
even after grouping and screening components according to similar behaviour
and capacities. Furthermore, specialized expertise is required of the engineering
team that develops these fragility functions.
Another possibility is the SMA. In general, the SMA procedure comprises
the following elements:
(1) Input given by the extreme environment definition matrices (see Tables 4–7).
(2) Definition of overall nuclear facility performance criteria when subjected
to the extreme external events: For example, for a nuclear power plant
subjected to a DEE, the overall performance criteria may be defined as hot
or cold shutdown for 24 hours after the event occurs. A further assumption
is that additional aid from outside the plant boundary can be effectively
mobilized within the 24 hour period. The performance criteria, including
the duration of plant shutdown before aid from outside the plant can be
mobilized, need to be established.
(3) Assumptions for the engineering evaluations: For example, loss of off-site
power conditions, operating state of facility (full or partial operation),
system criteria (redundancy) or SSC capacity criteria (code based or less
conservative).
(4) Definition of one or more ways to achieve safe shutdown or success paths.
(5) Identification of SSCs that comprise the safe shutdown paths and are
required to function during and after the event, given the aforementioned
assumptions: Definition of the specific functions these SSCs need to
perform during and after the event. The SSCs are itemized on the selected
equipment list (SEL).
(6) Evaluation of SSC capacity (items on the SEL) when subjected to the
extreme loading conditions specified: For the SMA, the measure of
capacity needs to be established when subjected to the specified loading
conditions (e.g. the high confidence of low probability of failure, median
centred capacity or other criteria). This step entails in-office and in-plant
evaluations. The in-plant evaluations are the plant walkdowns.
(7) Definition of a measure of plant capacity, such as the size of the event, for
which there is best estimate likelihood that the nuclear power plant will
achieve hot or cold shutdown (or other end metrics): The plant end state is
compared with the acceptance criteria.
(b) Results of the assessments for comparison with acceptance criteria;
(c) Sensitivity study results, if performed.
Acceptance criteria are in the form of end metrics that may be risk oriented,
for example core damage frequency (conditioned on a human induced external
event occurring), or may be in the form of capacity values, such as best estimate
or high confidence that the nuclear power plant reaches cold shutdown when
subjected to the event (e.g. the impact of a specified aircraft). Other important
items are spent fuel pool structural integrity and cooling.
The concept of a tiered approach to defining acceptance criteria is
introduced. For example, the consequences of less severe events on the nuclear
power plant of interest need to meet more stringent acceptance criteria than those
of the most severe events. For less severe events, requirements include redundant
success paths to arrive at safe shutdown and conservatism in defining both
the environmental loading functions and the performance criteria of SSCs:
essentially elastic material behaviour for structures, components, equipment and
distribution systems. For the most severe events, verifying a single success path
to safe shutdown using realistic analyses may be acceptable. Table 8 presents
an example following this concept. Reference [2] follows this approach when
discussing structural capacity acceptance criteria.
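The binary fragility screening described under fragility analysis and the tiered success path criteria above can be worked through in a few lines; this is an added illustration, not taken from the Safety Report. The SSC names, path definitions, failure probabilities, the reading of redundancy as "two or more paths" and the lognormal fragility form are all assumptions constructed for the example.

```python
import math
from itertools import product

# Hypothetical success paths (constructed): each path is the set of SSCs that
# must all survive for that path to bring the plant to safe shutdown.
SUCCESS_PATHS = {
    "path_A": {"EDG_A", "ECW_pump_A", "cable_chase_1"},
    "path_B": {"EDG_B", "ECW_pump_B", "cable_chase_1"},
    "path_C": {"mobile_DG", "ECW_pump_B"},
}

# Assumed reading of the tiering: DEE1 asks for redundancy (two or more
# surviving paths), DEE2 accepts a single surviving path.
REQUIRED_PATHS = {"DEE1": 2, "DEE2": 1}


def surviving_paths(paths, failed_sscs):
    """Binary fragility: an SSC inside the damage footprint is failed,
    and a path survives only if none of its SSCs is failed."""
    failed = set(failed_sscs)
    return sorted(name for name, sscs in paths.items() if not sscs & failed)


def meets_tier(paths, failed_sscs, level):
    """Compare the number of undamaged success paths with the tier's requirement."""
    return len(surviving_paths(paths, failed_sscs)) >= REQUIRED_PATHS[level]


def lognormal_fragility(load, median, beta):
    """Probability of failure as a function of a single load parameter.
    The lognormal shape is an assumption, not something the report prescribes."""
    if load <= 0:
        return 0.0
    z = math.log(load / median) / beta
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def prob_no_success_path(paths, p_fail):
    """Conditional probability, given the scenario, that every success path is
    lost. All SSC states are enumerated so that an SSC shared between paths is
    counted once. SSC failures are assumed independent; SSCs missing from
    p_fail are treated as certain to survive."""
    sscs = sorted(set().union(*paths.values()))
    total = 0.0
    for state in product((False, True), repeat=len(sscs)):
        prob = 1.0
        for name, is_failed in zip(sscs, state):
            p = p_fail.get(name, 0.0)
            prob *= p if is_failed else 1.0 - p
        if prob == 0.0:
            continue
        failed = {name for name, is_failed in zip(sscs, state) if is_failed}
        if not surviving_paths(paths, failed):
            total += prob
    return total


if __name__ == "__main__":
    # Constructed footprint: a yard fire reaches the shared cable chase and EDG_A.
    footprint = {"cable_chase_1", "EDG_A"}
    print("surviving paths:", surviving_paths(SUCCESS_PATHS, footprint))
    for level in ("DEE1", "DEE2"):
        print(level, "criterion met:", meets_tier(SUCCESS_PATHS, footprint, level))

    # Constructed capacities (median, beta) in the same arbitrary load unit.
    load = 12.0
    capacities = {"cable_chase_1": (12.0, 0.4), "ECW_pump_B": (20.0, 0.5)}
    p_fail = {name: lognormal_fragility(load, m, b) for name, (m, b) in capacities.items()}
    print("P(no success path | scenario) =",
          round(prob_no_success_path(SUCCESS_PATHS, p_fail), 4))
```

Because path_A and path_B share the cable chase, multiplying the three path failure probabilities together would understate the result; the enumeration avoids that.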
The information in Table 8 highlights the importance of defining
the required civil structure functional behaviour when subjected to human
induced external events. Typically, civil structure functional requirements
range from leaktightness (e.g. containment) to providing structural support
of systems, equipment, components and distribution systems important to
safety (e.g. anchorage), to providing barriers to protect SSCs important to
safety (e.g. fire barriers and explosive protection walls). It is the civil structure
function that requires design and evaluation. The performance assessment results
are compared with acceptance criteria and on this basis the vulnerabilities are
identified.
TABLE 8. PLANT ACCEPTANCE CRITERIA: EXAMPLE
Event level | Civil structure | Safety functions | Capacity assessment | No. of shutdown paths | No. of decay heat removal paths
Note: DEE: design extension external event; DBEE: design basis external event.
Given the results of Phase 4, the operator may take additional steps to
address the identified vulnerabilities. These steps include prioritization and
implementation of the compensatory and/or upgrading measures (e.g. design
changes, operating procedure changes and administrative measures).
2.3.2. Defence in depth
The most general approach to the design and evaluation of nuclear power
plants subjected to human induced external events is the utilization of the concept
of defence in depth in the safety domain [1, 8]. The layers of defence in depth may
be intrinsic or extrinsic, on-site or off-site. Furthermore, some layers of defence
in depth will be related to prevention of the event and others to mitigation when,
for example, core damage is considered the metric. Section 4 presents the basic
concepts of defence in depth when applied to the assessment of safety against
human induced external events.
(a) High level requirements, such as core damage frequency or large early
release frequency, lower than threshold values. Methods of demonstration
to be specified.
(b) Plant safe state achieved: hot or cold shutdown and cooling over a required
time period (e.g. 24 or 72 hours).
(c) High confidence of survival of specified SSCs, such as containment
structure and containment systems, spent fuel pool and spent fuel pool
support functions.
(a) Risk metrics are in terms of frequencies of occurrence per annum, and the
acceptance criteria may be a fraction of the required core damage frequency
or large early release frequency specified in the Member State.
(b) Plant safe states may be ensured through the identification of success paths
to arrive at hot or cold shutdown. One can envision the Member State
(or the operator) requiring:
(i) Conservatism in design or evaluation for less severe scenarios, such
as requiring redundancy in success paths and conservatism in the
evaluation processes, thereby ensuring with high confidence that hot
or cold shutdown is achieved and future restart of the nuclear power
plant is likely;
(ii) For extreme DEEs, liberalized acceptance criteria may be permitted
with one shutdown path ensured, SSC acceptance criteria liberalized,
best estimate or median centred evaluations permitted, among other
things.
Plant acceptance criteria are then defined by the Member State as [9]:
Full power and shutdown operational modes for maintenance and refuelling
are to be considered.
2.4.4. Consideration of multi-unit sites
assurance that N sets of FLEX equipment will remain deployable
following such an event [where N = number of units on a site].
Procedures and guidance to implement FLEX strategies. FLEX
Support Guidelines (FSG), to the extent possible, will provide
pre-planned FLEX strategies for accomplishing specific tasks in support
of Emergency Operating Procedures (EOP) and Abnormal Operating
Procedures (AOP) functions to improve the capability to cope with
beyond-design-basis external events.
Programmatic controls that assure the continued viability and
reliability of the FLEX strategies. These controls would establish
standards for quality, maintenance, testing of FLEX equipment,
configuration management and periodic training of personnel.
2.5. ASSESSMENTS OF EXTREME PLANT CONDITIONS
Station blackout;
Loss of primary ultimate heat sink;
Both occurring simultaneously.
2.6. UNCERTAINTY
Epistemic uncertainty is the uncertainty attributable to incomplete
knowledge about a phenomenon that affects the ability to model it.
Epistemic uncertainty is reflected in ranges of values for parameters, a range
of viable models, the level of model detail, multiple expert interpretations,
and statistical confidence. In principle, epistemic uncertainty can be reduced
by the accumulation of additional information (also called modelling
uncertainty).
The composite variability is the total uncertainty including the aleatoric and
epistemic uncertainties. In many cases, aleatoric and epistemic uncertainty are
modelled by log-normal distributions with the log-normal standard deviation for
aleatoric uncertainty represented by $\beta_R$ and the log-normal standard deviation for
epistemic uncertainty represented by $\beta_U$. For this case, the logarithmic standard
deviation of composite variability, $\beta_c$, is expressed as:
$$\beta_c = \left(\beta_R^2 + \beta_U^2\right)^{1/2} \qquad (1)$$
These concepts are introduced here to emphasize the fact that representations
of the extreme human induced external events are subject to uncertainty in the
phenomena themselves and in the modelling of the phenomena. These concepts
are discussed in significant detail in Ref.[3].
3.1.1. Screening by design robustness
In the design and evaluation process, the inherent strengths in facilities due
to the design and construction conditions need to be recognized. SSCs designed
to the wide range of conditions imposed by the design may possess significant
margin for loading environments owing to defined human induced external
events. For extreme external events, the focus is on the SSCs required to safely
shut down the facility and to maintain it in a safe state through the time necessary
for additional resources from outside the plant to assist, if necessary.
SSCs are designed and evaluated for a large number of conditions:
function (e.g. pumps delivering fluid at a specified flow rate) under a wide
range of specified conditions (e.g. temperature, humidity, radiation, cooling
and vibration). Accident conditions mean components performing required
functions during a specified period and under specified environmental
conditions.
3.1.2. Screening by distance and magnitude and by probability
When the events cannot be screened out based on design robustness, two
other screening methods are available: screening by distance and magnitude and
screening by probability of occurrence.
Following this method, the minimum distance and the maximum magnitude
of the event are postulated with respect to the nuclear power plant site and the
potential damaging effects on plant safety are assessed. If the effects are found to
be insignificant, the event is screened out with respect to the assessed parameter.
An example where distance and magnitude screening may be effective is
the screening of vehicles containing explosives. The plant boundary and Member
State administrative procedures may be judged to be effective in keeping vehicles
at safe distances from the nuclear power plant SSCs.
Another example is for extreme human induced external events of flood
conditions (dam failure or overtopping) and consequent site inundation. It may
be possible to assess the maximum flood height and take into account the site
topography and possible drain paths to exclude effects on SSCs located at higher
elevations. This can be applied to both off-site water sources and on-site tank or
piping systems, reducing the possible impact of the flood on equipment important
to safety and the number of events to be analysed in detail.
these concepts, when applied, could also serve to identify some safety concerns
that are clearly vulnerabilities, without requiring extensive analysis. The concepts
are illustrated using an aircraft crash as an example.
In the case of an aircraft crash, the first issue that national authorities need
to address is which scenario is to be assessed. This requires definitions of, for
example, the types of aircraft, velocities, altitudes and payloads (including the
amount of fuel and the existence of passengers and cargo) which are to be used
in the analysis. For example, with regard to accidental aircraft crash scenarios,
Germany has required designs to deterministically protect against a Phantom or
similar, fast military jet crashing into the nuclear power plant site. In contrast,
France has ruled out accidental commercial and military crashes based on
probabilistic considerations, but it requires consideration of general aviation
crashes (Learjet 23 and Cessna 210).
These decisions require taking into account current and predicted air traffic
for the country or region. It may involve setting two levels: one for best estimate
survival and another (possibly more unreasonably burdensome) for best estimate
consequences. Having developed national criteria which may be defined down to
a list of site specific approach directions, a case can be made to perform a high
level worst case analysis.
Methodologies for the analysis of impact have been developed over a
number of years and have been updated, as needed, taking into account new
information such as the events of 11 September 2001, testing performed
subsequent to that event, and extensive analytical and numerical studies
performed. These analyses make use of the results of the extensive work that has
been performed on the few cases of aircraft impacts on engineered structures (i.e.
buildings). Reference [2] discusses these approaches in detail.
The Pentagon Building Performance Report [12] and World Trade Center
Building Performance Study [13] provide useful guidance that may be applied to
the nuclear facility case. In Ref. [12], the results of the detailed study assessing
the impact indicated that the damage was initially confined to a roughly triangular
shape, extending along the direction of the approach. The damage swath was
approximately 23–24 m at the point of entry into the building and extended to a
depth of approximately 70 m. The damage caused by the landing gear was shown
to extend beyond the initial zone of impact. Fire damage, due to burning of the
jet fuel and to secondary fires caused by the ignition of on-site combustibles,
extended into the areas unaffected by the impact, until contained by the building
fire suppression systems.
Hence, the zone of influence concept can be applied for the purpose of
preliminary screening. Aircraft crashes and explosions are two events where the
zone of influence is a valuable tool. The concept is applied to aircraft crashes by
imposing the damage and debris triangles on a scaled representation of a nuclear
plant, aligned along each or all determined approach paths. An approximation of
the areas of damage likely to occur to the relevant building can be obtained. The
footprint of the fire and smoke damage can be obtained by extending the zone of
influence until it is met by a fire barrier that has not been damaged by the initial
impact or subsequent debris.
The expectation is that this concept may provide reasonable initial
estimates of the damage caused by an aircraft crash on a nuclear facility based
on the evidence from past events. Clearly, this methodology could not be directly
applied to certain structures within a nuclear facility. Hardened and robust
structures, such as the containment building, would provide additional protection
when compared to the structure of the Pentagon building. These key structures,
whose failure could lead to significant, immediate consequences, would require
additional evaluation to ensure that their integrity can be maintained. However,
this concept could serve to focus the evaluation on those SSCs critical to the
plant achieving safe shutdown, simultaneously eliminating those SSCs that are
highly likely to fail in the crash.
Implementation of this concept could result in a visual representation
similar to that in Fig. 2 for an aircraft crash in one direction (several diverse
directions may be assessed as probable and each would need to be considered).
[Figure 2: plant layout showing the turbine building, reactor building and auxiliary building, with the impact zone and debris zone drawn along the direction of approach.]
FIG. 2. Simplified schematic of a nuclear power plant indicating the three zones of influence
following an aircraft crash.
Assuming a loss of all SSCs contained within the zone of influence,
and using the defined success criteria (i.e. the redundancy and survivability
requirements), the effect of the aircraft crash on the plant can be estimated.
Systematic tools, such as PSAs, simplified event trees and SMAs, can be used
along with the zone of influence to determine whether successful shutdown of
the nuclear power plant remains feasible for those SSCs outside the zone of
influence.
The list of SSCs needed for safe shutdown may populate an SEL plus
structures. It should be noted, however, that the SEL will depend greatly on each
scenario. In the following example, the emergency cooling system is assumed
to be located primarily on the north side of the plant, whereas the shutdown
maintenance cooling system is located on the south side, with the reactor building
between them. Preliminary analysis has shown that either cooling system may be
relied on to maintain the basic cooling requirements for removal of decay heat.
The aircraft crash is to be considered a viable event (i.e. not screened out by
previous methods). The aircraft is considered to be approaching from the north
and the south directions for evaluation by the zone of influence approach. For the
case of approaching from the north, and using the zone of influence concept, the
emergency cooling system is assumed to be unavailable. Based on reasonable
assurances, however, the maintenance cooling will survive the impact, debris
and fire, thus ensuring that basic cooling functions are maintained. The opposite
would be true for the approach from the south.
Caution is to be taken, however, if this methodology is to be used to exclude
scenarios from further consideration. Owing to the significant uncertainty
associated with this method, there needs to be a high degree of certainty that
the essential safety functions are maintained. Furthermore, for open areas such
as a turbine building, the zoning might be an underestimate, while for a cellular
structure with many interior walls, such as a control building, the effects might be
more restricted. Detailed consideration therefore needs to be given to postulated
affected buildings and plants.
The zone of influence methodology may serve to identify clear
vulnerabilities. For example, some nuclear power plants may locate the primary
and secondary control rooms in close proximity to each other. When the damage
footprint is imposed on the plant layout, assuming that it is feasible for the aircraft
to approach from an alternative direction, there would be a good possibility that
both control rooms may be lost simultaneously, or that the access to the secondary
control room may be impeded owing to the severe fires expected.
3.1.4. Example of systematic approach to defining scope: Aircraft impact
Two buildings, the reactor containment building and the spent fuel
storage building, are to be evaluated for direct aircraft impact effects:
(a) Impact locations to be considered are defined, which are identified based
on the aircraft parameters (such as angle of impact and manoeuvrability
of aircraft), shielding by topography, nuclear power plant site buildings,
transmission lines and other considerations.
(b) Conservative assumptions about the angle of aircraft impact, for
example perpendicular to the centreline of the containment building and
perpendicular to the spent fuel storage building, are made.
(c) Local response, global response and vibration loading conditions are
considered.
Damage footprints due to any consequences of the aircraft crash are developed,
including structure failure modes, fire and vibration effects. The end product
is aircraft impact locations and damage footprints. Studying the effects of an
aircraft crash requires evaluations of global structural response, local response
and vibration effects, as described in Ref. [2].
3.1.4.2. Heat removal capability
(a) The faces or partial faces of buildings could be screened out from further
consideration due to shielding by adjacent structures, intervening structures,
or other site features (see the rules in table 3-1 of Ref. [14]).
(b) Faces of buildings that are partially screened out are subdivided into
portions for which aircraft impact is possible and not possible;
(c) The impact of multiple buildings during the event is considered, the result
being the identification of multiple buildings vulnerable to a single aircraft
crash;
(d) Candidates for aircraft impact assessment are the end products.
Damage footprints for each building, for each impact location of the
building, and for each mode of failure or excitation (global or local structure
response, fire and vibration effects) are developed for evaluation.
Screening rules were developed to aid in the evaluations:
3.1.5. Special topics
The type and number of co-located facilities on the site can have positive
and negative effects on prevention, detection, control of consequences (normal
and severe conditions) and emergency response.
(a) Positive effects: Multiple critical facilities located on a site (or in the
vicinity) permit the pooling of resources to prevent or mitigate the
consequences of a human induced external event. Various on-site and
off-site measures can be deployed cost effectively.
(b) Negative effects: If there are shared systems between nuclear power
plant units, or on the site in general, a human induced external event may
neutralize the system performance.
Report and Refs [2, 3], that the consequences of current potential human induced
events are reduced to acceptable levels.
(a) Human induced event No.: An alphanumeric identifier, values ranging from
1 to N, where N is the total number of events.
(b) Human induced event description: A brief description of the event for
identification purposes. (Example: Large passenger aircraft crash into a
nuclear power plant site.)
(c) Physical loading conditions: Numerical identifiers on the type and specifics
of loading conditions caused by the event. The numerical identifiers
correlate directly with the other loading matrices: impact, explosion and
blast, heat and fire, hazardous material release and other environmental
consequences. The end result provides guidance to plant engineering
on engineering disciplines required in the evaluation. It also provides
background on the source of environmental load combinations required.
(d) Impact matrix: One or more impact loading conditions identified by
number and reference to the impact matrix described in Section 3.2.1.2.
(Example: DEE impact loading 1 and 2.)
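TABLE 9. EXAMPLE OF DESIGN EXTENSION EXTERNAL EVENT LOADING MATRIX TABLE
Event No. | Description | Impact | Explosion/blast | Heat/fire | Hazardous material release | Smothering | Flooding | Other
1 | Crash of a large passenger aircraft with a fully fuelled fuselage into a nuclear power plant | 1, 2 | None | 1 | None | None | None | None
N |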
(e) Explosion/blast matrix: One or more explosion or blast DEE loadings
identified by number and reference to the explosion/blast matrix described
in Section 3.2.1.3. (Example: None, i.e. no explosion or blast loads
associated with Event 1 or as ancillary to the aircraft crash.)
(f) Heat/fire matrix: One or more heat or fire loading conditions identified by
number and reference to the heat/fire matrix described in Section 3.2.1.4.
(Example: Heat/fire environmental loading condition 1.)
(g) Hazardous material release matrix: One or more hazardous material release
conditions identified by the number and reference to the hazardous material
release matrix described in Section 3.2.1.5. (Example: None, i.e. no
hazardous material release condition associated with Event 1.)
(h) Smothering, flooding and other phenomena are identified with examples
for future consideration (see Section 3.2.1.6 for flooding):
Smothering, choking or depriving SSCs of necessary air for operation is
suggested as a potential concern (e.g. a lack of air to emergency diesel
generators could prevent startup and operation). Smothering due to
firefighting techniques (i.e. foam) may need to be evaluated.
Flooding of the site due to internal or external sources may need to
be evaluated (e.g. the failure of an upstream dam, which leads to the
release of large quantities of water that floods the site).
(a) Missile type/No.: Missile load identifier. In general, values range from 1 to
M, the total number of missile impact scenarios. (Example: Missile No. 1 is
the fuselage from a large passenger aircraft, including fuel; Missile No. 2 is
the engines.)
(b) Description: Brief description of source of loading condition. (Example:
Missile No. 1 is a crash of a large passenger aircraft with a fully fuelled
fuselage; Missile No. 2 is the engines.)
(c) Mass: Mass of the missile. (Example: Missile No. 1 is 157 000 kg, including
fuel; Missile No. 2 is 4800 kg per engine.)
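TABLE 10. IMPACT PARAMETER DEFINITION MATRIX
Missile No. | Description | Mass (kg) | Shape/configuration | Impact angle | Impact velocity | Relative hardness | Fire | Explosion | Vibration | Other
1 | Crash of a large passenger aircraft with a fully fuelled fuselage into a nuclear power plant | 157 000 | Flexible | Defined by Member State | Defined by Member State | Flexible | 1 | No | Yes | No
M |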
(d) Shape/configuration: General and specific description of missile.
Dimensions specified, if available at this stage. (Example: Missile No. 1 is
a flexible fuselage, dimensions to be determined; Missile No. 2 engines to
be assumed rigid and dimensions as shown.)
(e) Impact angle: Angle or range of potential impact angles taking into account
the physics and human capability necessary to achieve objective. (Example:
Impact angle in the range of 0–30° from the horizontal.)
(f) Impact velocity: Velocity of missile taking into account the physics and
human capability necessary to achieve objective. (Example: 180 m/s.)
(g) Relative hardness: Important parameter in assessing effect of missile
on SSCs. Qualitative or quantitative measure. (Example: Missile No. 1
fuselage is considered flexible; Missile No. 2 is considered rigid.)
(h) Ancillary effects: These are effects that are consequential to the direct
impact. They may be specified in other places in the specification such
as fire in the example. They may be consequences to the impact, such
as spalling or scabbing of concrete, which may be an ancillary effect on
components in the vicinity of the impact.
(i) Fire: Missile impact causes a fire due to the missile impacting a combustible,
such as a diesel oil tank. (Example: Missile No. 1 refers to heat and fire, 1
within the fire matrix, which is a jet fuel fire associated with the aircraft
crash; Missile No. 2 has no related fire.)
(j) Explosion: Missile impact causes explosion due to impacting an explosive
storage facility in the surrounding area of the plant. (Example: No explosions
assumed.)
(k) Vibration: Missile impact causes overall vibration of the impacted building.
Vibration can affect sensitive equipment. (Example: Missile No. 1 impact is
considered able to produce significant vibration affecting all the building.)
(l) Other: Other hazards identified, such as intruders in coordination with
missile attack. (Example: No other hazards identified.)
TABLE 11. EXPLOSION/BLAST PARAMETER DEFINITION MATRIX
(a) Explosion No.: Explosion and blast condition identifier. Values range
from 1 to the total number of blast conditions considered. (Example: No
explosion or blast conditions were assumed.)
(b) Description: Description of the explosion scenario.
(c) Explosion parameters: Table 11 presents example descriptors of the
characteristics of the explosion. For general descriptions, trinitrotoluene
(TNT) equivalent mass and reference distance (measured from a facility
reference point) is the most general information. Other descriptors can be
given if the multi-energy method is used [2].
(d) Pressure pulse: Table 11 presents example descriptors of the pressure
pulse created by the explosion. Specific information about the incident
and reflected waves would be developed for the nuclear power plant under
evaluation. Typically, side-on and reflected peak overpressures are used.
The details are a function of numerous site specific characteristics.
This matrix identifies the heat and fire characteristics to be used by plant
engineering for the evaluation of SSC capacity. An example is provided in
Table 12.
The columns of the matrix are defined as follows:
(a) Fire No.: Heat and fire condition identifier. Values range from one to the
total number of fire conditions.
(b) Description: Brief description of the source of the fire. (Example: Jet fuel
fire from a large passenger aircraft.)
TABLE 12. HEAT/FIRE PARAMETER DEFINITION MATRIX
Fire No. | Description | Combustible/ignition | Quantity (kg) | Heat potential/temp. (°C) | Burn duration (h) | Other | Type | Building/yard | Quantity (kg) | Ignition likelihood | Burn duration (h)
(c) Fire source outside facility: These entries define the fire hazard on the basis
of its source being outside the facility. For an aircraft crash or other similar
event, the distribution of the combustibles within and outside the facility
boundary is important. Two obvious distributions are on plant yard and
penetration into buildings; another is outside the facility boundaries, which
could inhibit access by emergency responders and others. Examples of
important parameters include type and quantity of combustible, estimates
of heat potential and temperature, and duration of burn. (Example: Jet
fuel from a large passenger aircraft spilled and ignited. No penetration of
building. Quantity is 50 000 kg. Burn duration at high temperature, 1000°C,
is 1 hour maximum and 5–7 hours of residual fire at 300°C.)
(d) Fire source or combustibles inside facility: These entries define the fire
hazard on the basis of the source being inside the facility or ignited inside
as a consequence of an outside source. Examples of important parameters
include type and quantity of combustibles, location and estimated duration
of burn. (Example: None.)
(a) Case No.: Hazardous material release number. Values range from 1 to
the total number of hazardous material release conditions. (Example: No
hazardous material release was assumed.)
(b) Material description: Brief description of the hazardous material.
(c) Quantity: Quantity of the material released and over what time frame.
(d) Smothering effect (personnel): Physical effects on personnel (e.g. plant
operating staff) need to be itemized. Indicate whether personnel protective
gear is required and the time frame for implementation.
(e) Smothering effect (components): Smothering or choking of components
as a possible effect is to be identified. For example, if emergency diesel
generators could be adversely affected by the atmospheric dispersion of a
particular chemical, it needs to be identified here.
(f) Lethal or disabling effects (personnel): Potential effect on plant personnel.
(g) Duration: Time frame in which hazardous material is present. Occurrence
of dispersion.
(h) Penetration extent: Hazardous material migrates into buildings through
flow paths, including heating, ventilation and air-conditioning systems, or
remains in the plant yard.
TABLE 13. HAZARDOUS MATERIAL DEFINITION MATRIX
3.2.1.6. Flooding
TABLE 14. EXTREME LOADING MATRIX SUMMARY TABLE
Plant area Vital area Description Impact Blast Heat/fire Hazardous material release Smothering Flooding Other
Building 1
Building 2
Building 3
Zone 1
Zone 2
Zone 3
Zone 4
Yard 1
Yard 2
SEL item 1
SEL item 2
4. PLANT SPECIFIC EVALUATION
The basic approach to the overall plant specific evaluations is utilizing the
concept of defence in depth [1, 8]. In a full scope safety evaluation against human
induced external events, all layers of defence in depth are assessed. The layers of
defence in depth may be intrinsic or extrinsic, on-site or off-site, and related to
safety, security or a combination. Some layers of defence in depth are related to
prevention (prevention of the human induced event from adversely impacting the
nuclear power plant) and others to mitigation when, for example, core damage
is considered the consequence of the human induced event.
Five levels of defence in depth are defined as follows [8]:
(a) At level 1, human induced external events are initiated outside the plant
boundary. Consequently, there is a shared responsibility between the
Member State organizations to prevent human induced events from
occurring.
(b) At levels 2–4, if human induced events are initiated, the majority of the
initial burden for level 2–4 activities is the responsibility of the operator.
However, there is an understanding of approach between Member State
organizations and the responsible plant personnel.
(c) At level 5, emergency response activities clearly involve the Member State,
not only the operator. Hence, the related activities are also interdependent.
Two modelling and evaluation approaches are tools in the plant specific
evaluation process: probabilistic safety assessment (PSA) and safety margin
assessment (SMA). These methods are discussed in detail in Ref. [3].
The SMA approach relies on defining success paths. A success path is a
set of systems and associated components that can be used to bring the plant
to a stable hot or cold shutdown condition and to maintain this condition for a
specified period of time. A complementary definition is that a success path is
defined by SSCs whose successful performance will put the nuclear power plant
in a safe state (i.e. hot or cold shutdown).
Once the front line and support systems are identified, the success paths
consisting of combinations of safety systems, equipment and structures will be
developed. These required SSCs will be listed on an SEL augmented by required
structures. All screening tools, including those identified in Section 3, will be
implemented.
In its entirety, the PSA approach models the process from initiating event
to end metrics of interest, including mitigation systems, containment SSCs
(level 2), and on-site and off-site consequences (level 3). This constitutes
defining the failure paths and their quantification in probabilistic terms. Similar
to the success paths, the potential failure paths comprise SSCs that define the
SEL for further evaluation. When SEL items cannot be screened out based
on conservative performance criteria, a detailed computation of capacities is
necessary (see Section 4.5).
4.3. SELECTED EQUIPMENT LIST
SSCs that require evaluation for the SMA or the PSA are identified
depending on the methodology to be implemented. Along with identification of
the SSCs, their required performance needs to be identified.
For the SMA approach, multiple equipment lists could be defined as a
function of the event under evaluation. Different sets of lists will be required for
different human induced events based on the location and extent of effects of the
event. The important element here is to systematically assess the human induced
events and the accompanying equipment lists. It is expected that the number of
items on the equipment lists will be in the hundreds.
There are many events for which area dependent evaluations are performed
for design basis external events (DBEEs) and for design extension external events
(DEEs). Three examples are security events (design basis threats and beyond
design basis threats), internal and external fires, and internal and external floods.
In the case of physical protection systems, security evaluations are based on
identifying vital areas and protecting those vital areas. A vital area is an area within
the protected area containing equipment, systems, devices or nuclear material, the
damage of which could directly or indirectly lead to unacceptable radiological
consequences. Depending on the safety philosophy of the nuclear power plant
(and the Member State), the set of vital areas could include all designated safety
systems or a subset of safety systems and equipment. The number of vital areas
and their extent depend on the physical protection philosophy of the Member
State. In some Member States, all safety related items are to be protected. This
translates into a small number of vital areas, but with very large areal extent (e.g.
an entire building might be defined as one vital area). Alternatively, the vital
areas may cover only a minimum subset of equipment. This latter philosophy would
parallel the SMA approach to human induced external events.
In the case of fire and flood, location dependent evaluations are also
implemented and can be used to assess the survivability of a minimum subset
of SSCs. Location dependency applies especially when items in a compartment
are assumed to fail once fire or flood engulfs the compartment. In that case,
survivability is 100% dependent on location.
It is important to note that existing models and results can be used in the
development of the elements of the evaluation methodology. These models could
be probabilistic or deterministic (i.e. event or fault tree or success path based).
4.5. PERFORMANCE OF STRUCTURES, SYSTEMS AND COMPONENTS
(a) To define the functions to be performed by the item of interest, in what time
frame and under what environmental conditions;
(b) To define the extreme loading environment to be imposed on the item of
interest (including amplitude and duration), for example direct heat/flame,
compartment temperature as a function of time, and mitigating factors that
are evaluated to be effective (e.g. the fire suppression system);
(c) To determine the support systems required for the item of interest to operate
as required (e.g. emergency power and room cooling);
(d) To determine the likelihood of the item of interest to fulfil the required
function by using engineering evaluations (e.g. test data, analyses and
computer simulations);
(e) To transmit this information to the systems modelling discipline [3].
Distribution systems are the lifeblood of the front line and supporting
systems. Distribution systems are best evaluated by a combination of analytical
tools and in-plant evaluations. The most significant vulnerabilities to piping,
cabling, instrumentation and control, and heating, ventilation and air-conditioning
systems are due to direct effects, such as explosions, mechanical impacts (aircraft
crashes), fire and flood. In addition, indirect failures, such as structure elements
failing, falling or otherwise damaging the distribution system, are important.
It is extremely important to identify the required functions to be performed
by the distribution system of interest when subjected to an event and the
subsequent hazard and effect. This is especially true for instrumentation and
control systems. Generally, instrumentation and control systems are more
vulnerable than other distribution systems, which are typically rugged when
subjected to extreme loading conditions. Consequently, required instrumentation
and control systems need to be carefully considered in all areas of the evaluation.
It is difficult to evaluate these potential failure modes only from drawings
without an in-plant evaluation. For existing nuclear power plants, in-plant
evaluations are to be performed. For new nuclear power plants, in-plant
evaluations can be performed at system turnover.
Safe shutdown refers specifically to the nuclear reactor system and includes
hot or cold shutdown, prevention of recriticality and decay heat removal.
Verification of the ability of the nuclear power plant SSCs to shut down
the plant and to maintain it in a hot or cold shutdown state is the objective of
the safety assessment. Verification methods and acceptance criteria may be tiered
depending on the severity of the human induced external event.
Three operating states need to be considered: full power, low power and
outage. The most vulnerable state of operation is not known a priori; consequently,
all states require evaluation or, as a minimum, consideration.
In addition to the evaluation of the reactor containment building, all
structures containing equipment necessary to prevent damage to fuel in the
reactor or the spent fuel pool will be identified for screening or evaluation.
Front line and support systems needed for safe (cold) shutdown of the reactor or
continued cooling of the spent fuel pool are identified.
In the PSA language, one can envision a high level OR gate: (reactivity
control and core cooling are maintained) OR (containment integrity is
uncompromised due to direct effects of the human induced external event AND
front line and support systems needed to maintain containment integrity operate
successfully).
As in the evaluation of the safe shutdown and the containment, two levels
of evaluation are required for the spent fuel: direct damage to the spent fuel pool
due to the event and indirect damage, as described in the following.
Direct damage is a direct consequence of the scenario, for example aircraft
impact on the fuel storage building, wall failure, or a projectile penetrating the
outer wall and rupturing the spent fuel pool wall, thereby releasing water and
leading to the uncovering of the spent fuel elements.
Indirect damage is an indirect consequence of the scenario, for example
the spent fuel pool stays intact but the spent fuel pool cooling relies on a series
of front line and support systems (some identical to those required for the reactor
cooling) and these systems fail. The cooling function cannot be achieved, the
water boils off, the spent fuel rods eventually become uncovered and radioactive
material is released.
The evaluation process remains the same as for ensuring reactivity control,
cooling of the core, and reactivity confinement. The engineering safety evaluation
methodologies of Refs [2, 3] apply directly.
The ultimate heat sink (UHS) is a medium to which the residual heat from
the reactor is transferred. In some cases, the nuclear power plant has a primary
UHS, such as the sea or a river, and a secondary UHS, such as another water
source or the atmosphere. In the engineering safety evaluation, it is important to
recognize multiple UHSs and their characteristics (i.e. location, form, reliance on
front line and support systems). The redundancy offered by a secondary UHS is
important, since in many cases the primary UHS and its systems may not be well
protected from an extreme human induced external event. Emergency measures,
such as FLEX, may provide the means for an alternative UHS.
4.7. ASSESSMENT OF EXTERNAL PLANT CONDITIONS
Buffer zones in the air, land and water, for example maintaining hazardous
material boundaries outside the plant boundary and so preventing land or
water vehicles from entering areas where explosions or hazardous material
releases could affect the nuclear power plant;
Maintaining no-fly zones around the nuclear power plant;
Maintaining a buffer zone of no combustibles on the land around the plant
boundary.
(a) Risk oriented, for example core damage frequency, large early release
frequency, total effective dose equivalent to personnel and total effective
dose equivalent to the public.
(b) Capacity oriented, for example conservative containment capacity when
subjected to specified aircraft impact loads, best estimate capacity (only
slightly conservatively biased). Table 8, in Section 2.2.4, presents an
example of these acceptance criteria for SSCs.
Acceptance criteria may expand on to the SSC level:
In summary, the general procedure for plant specific evaluation consists of:
(a) Event and load characterization: This is the input to the plant specific
evaluation, originating from Phases 1 and 2 (see Section 3).
(b) Systems analysis: Depending on the selected approach (SMA or PSA),
success paths or failure paths are identified for each event given as input
(see Section 4.2).
(c) SEL: Using the results of the systems analysis and the area review, a list
of SSCs required to perform the selected safety functions under the plant
conditions generated by the considered events is compiled for capacity
assessment (see Section 4.3).
(d) Area dependent event evaluation: Areas of influence corresponding to the
events are assessed in order to identify the portions of the plant at which
SSCs will likely not be available to perform their intended safety functions
(see Section 4.4).
(e) Assessment of SSCs: Performance of selected SSCs for the loading
conditions given as input is assessed (see Section 4.5). As a result of the
assessment, SSCs not able to perform their intended safety functions are
identified.
(f) Assessment of plant performance: Using the results of the systems analysis
and the assessment of SSCs carried out in the previous step, the overall
performance of the plant to keep the fundamental safety functions under the
external events is assessed (see Section 4.6).
(g) Acceptability of plant performance: Plant performance is assessed against
the acceptance criteria in the Member State (see Section 4.8). This is
already Phase 4 of the overall evaluation (see Section 2.2).
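The steps of this procedure, combined with the high level OR gate described earlier for plant performance, can be sketched as an area dependent success path check. The Python below is an added illustration, not part of the IAEA publication; every equipment name, plant area, support dependency and scenario in it is constructed for a hypothetical plant.

```python
"""Area dependent success path screening (added illustration, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SSC:
    name: str
    area: str             # plant area / compartment that houses the item
    supports: tuple = ()  # support systems the item needs in order to operate


# Constructed selected equipment list (SEL) for a hypothetical plant.
# None of these names, areas or dependencies come from the publication.
SEL = {s.name: s for s in (
    SSC("scram_system", "reactor_building"),
    SSC("cooling_train_A", "emergency_cooling_building", ("diesel_A", "uhs_primary")),
    SSC("cooling_train_B", "pump_house", ("diesel_B", "uhs_secondary")),
    SSC("diesel_A", "diesel_building_A"),
    SSC("diesel_B", "diesel_building_B"),
    SSC("uhs_primary", "intake_structure"),
    SSC("uhs_secondary", "cooling_tower_yard"),
    SSC("containment_isolation", "reactor_building", ("diesel_A",)),
)}

# Success paths: a function is maintained if every item on at least one path works.
SUCCESS_PATHS = {
    "reactivity_control": [("scram_system",)],
    "core_cooling": [("cooling_train_A",), ("cooling_train_B",)],
    "containment_systems": [("containment_isolation",)],
}


def available(name, lost_areas, failed=frozenset(), _seen=frozenset()):
    """True if the item, and every support system it relies on, survives.

    Items in a lost area are assumed failed (survivability depends only on
    location); `failed` holds items screened out by the capacity assessment.
    """
    if name in _seen:  # circular support chain: treat as failed (conservative)
        return False
    ssc = SEL[name]
    if ssc.area in lost_areas or name in failed:
        return False
    return all(available(s, lost_areas, failed, _seen | {name}) for s in ssc.supports)


def function_maintained(function, lost_areas, failed=frozenset()):
    """A safety function holds if at least one success path is fully available."""
    return any(all(available(item, lost_areas, failed) for item in path)
               for path in SUCCESS_PATHS[function])


def plant_performance(lost_areas, failed=frozenset(), containment_intact=True):
    """Evaluate the high level OR gate for one event scenario."""
    lost_areas = frozenset(lost_areas)
    shutdown = (function_maintained("reactivity_control", lost_areas, failed)
                and function_maintained("core_cooling", lost_areas, failed))
    containment = (containment_intact
                   and function_maintained("containment_systems", lost_areas, failed))
    return {"safe_shutdown": shutdown, "containment": containment,
            "acceptable": shutdown or containment}


# Constructed scenarios: each maps an event to the plant areas it is assumed to engulf.
SCENARIOS = {
    "fire_diesel_building_A": {"diesel_building_A"},
    "loss_of_primary_uhs": {"intake_structure"},
    "fire_A_and_flooded_pump_house": {"diesel_building_A", "pump_house"},
}

if __name__ == "__main__":
    for label, areas in SCENARIOS.items():
        print(label, plant_performance(areas))
```

The second scenario shows the value of a secondary UHS: the train that depends on the primary heat sink is lost, but core cooling is still maintained through the redundant train.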
The general design process is shown in Fig. 3 and includes important
elements such as the following:
(a) Safety goals in terms of metrics such as core damage frequency, large
release frequency and dose limits to the public are applicable in numerous
Member States. Member States set the specific target values for these safety
goals through law. In general, they are applicable to accidental human
induced external events. For non-accidental human induced events, some
Member States have specific acceptance criteria.
(b) Three fundamental safety functions are defined as: (i) the control
of reactivity; (ii) the removal of the heat from the core; and (iii) the
containment of radioactive material. In some Member States, these three
safety functions are further broken down, in particular item (ii).
(c) Member States define and specify deterministic and probabilistic success
criteria. Both deterministic and probabilistic success criteria are utilized in
the implementation of the defence in depth principles as shown.
(d) The defence in depth concept belongs to the nuclear safety fundamentals.
The layers of defence in depth may be intrinsic or extrinsic, on-site or
off-site. Some layers of defence in depth are related to prevention and
others to mitigation.
The general aspects of siting and design make a very important contribution
to the protection of nuclear power plants against human induced external events.
For new nuclear power plants, generally two stages of design development exist:
standard or reference design (e.g. in the United States of America, Certified
Designs are licensed); and site specific issues once a site is selected.
DEEs may not be available for a new design. It is then necessary to perform
the analysis using a generic DEE (site and state independent). It is also possible to
use events that are beyond a design level in order to attain graded protection. This
will serve the purpose of designing the facility to some level of human induced
external event. After the site is selected and the DEEs are known, it is necessary
to complement the design with extrinsic measures so that all the human induced
event scenarios that can be generated are addressed.
[FIG. 3. General design process (figure not reproduced). Elements shown: safety objectives (general nuclear safety objective, radiation protection objective, technical safety objective); safety goal; implementation of defence in depth, Level 1 (prevention), Level 2 (control), Level 3 (accident conditions), Level 4 (severe plant conditions), Level 5 (off-site mitigation), with probabilistic and deterministic success criteria; development of safety requirements; safety requirements.]
designed, built and put into operation. Transportation routes, pipelines and other
infrastructure are anticipated to change during the life of the nuclear power plant.
Relying strictly on administrative control to prevent such hazards from impacting
new nuclear power plants may be unreasonable. A philosophy of design and
evaluation of defining a set of human induced event agnostic scenarios and
treating those as generally enveloping anticipated future defined human induced
events is prudent.
One such enveloping case is an aircraft crash, which includes impact
loading conditions of global response, local response and vibration effects,
as well as fire effects. Hence, larger aircraft than the existing fleet could be specified
by the Member State for one DEE. These specific phenomena are treated in
Ref. [2]. In addition, there may be other human induced events that are defined
(or need to be defined) that encompass currently identified human induced events
or hypothesized future events. It is recognized that some Member States are
implementing this process or philosophy. Implementing this process will provide
decision makers information on the capacity of newly defined environmental
loading conditions in the decades to come while existing and new nuclear power
plants are in operation.
An additional consideration that falls into the category of human induced
event agnostic design is the evaluation of the nuclear power plant for extreme
external events without consideration for how the following states could arise:
Station blackout (i.e. the loss of on-site normal power, off-site power or
emergency power);
Loss of UHS (e.g. the loss of primary UHS);
Simultaneous station blackout and loss of UHS.
5.4. LAYOUT
Perhaps the most important issue for new nuclear power plant designs is
the implementation of shielding structures that shield the reactor containment
building (and in some cases other structures important to safety) from damage
due to extreme external events, such as an aircraft crash. The majority of
these shielding structures are designed to preclude phenomena associated with
aircraft crashes (i.e. overall and local structure failure), which then precludes the
possibility of a jet fuel fire being initiated inside the safety related structures.
Often, a gap exists between the shielding structure and the safety related structure
to provide additional defence in depth for impact, vibration and fire loading
conditions.
Although these shielding structures are designed specifically for aircraft
crashes, they are also effective against other loading conditions, such as large
explosions.
Throughout the world, DEEs of human induced origin, such as the impact
of a large commercial aircraft on a nuclear power plant, are being taken into
account in the design process. In the light of the Fukushima Daiichi accident,
human induced event agnostic design scenarios are also being evaluated for all
new designs. Thus, there is high confidence that many extreme human induced
external event scenarios are being taken into account in the design of new nuclear
power plants.
6. SAFETY EVALUATION OF EXISTING PLANTS
The methodologies for existing and for new nuclear power plants are
basically the same. The difference is that new plants have a focus on explicitly
considering some human induced events in the design process, events that
may not have been recognized at the time of the design of existing plants. In
other words, DEEs are considered in the design process for new plants, whereas
beyond design external events were not taken into account in the design process
of most existing plants (see Fig. 1, in Section 1.5).
There are distinct differences between the evaluation of existing plants for
beyond design external events and the design of new plants when subjected to
DEEs. The obvious difference is that the physical existence of the existing plant
limits the physical modifications that can be implemented easily or at all. Hence,
management of human induced event scenarios for existing plants will rely on
the robustness of the existing designs, relatively small physical modifications
(if deemed necessary and cost effective), operational or procedural changes, and
emergency management (e.g. FLEX and EMEG). Detailed evaluation procedures
are contained in Refs [2, 3].
Peer review is highly desirable. As discussed throughout this publication
and in Refs [2, 3], assessment of the effects of human induced external events is
a multidisciplinary activity with highly specialized elements, perhaps requiring
experts in the field to perform the work. Consequently, peer review by other
experts in these areas is required. Records retention needs to be robust to enable
future retrieval when new human induced events may be postulated.
REFERENCES
Annex
A1. INTRODUCTION
In this annex, representative load cases are defined following the format of
Section 3. The objective is to acquaint the analyst with the type of information to be
provided, recognizing that it may need to be expanded when the actual analysis is
performed. Three examples pertaining to extreme human induced external events
are presented: aircraft crash, hazardous chemical release and blast.
Section 3 introduced the load definition matrices as examples of the types
of input and response expected to be produced by the engineering staff. These
extreme loading definition matrices can be thought of in three categories:
1 For consistency with other IAEA publications (see Ref. [A1]), the term 'environment'
is used in this publication in reference to the set of concurrent loads associated with a single
event. Hence, reference is made to extreme environments such as 'aircraft crash environment'
or 'pipeline blast environment'.
TABLE A1. EXTREME ENVIRONMENT MATRIX
Scenario No. | Scenario description | Impact | Blast | Heat/fire | Hazardous materials release | Smothering | Flooding | Other
2 | Chlorine release | No | No | No | 1 (Table A6) | No | No | No
3 | Blast pipeline | No | 1 (Table A10) | 3, 4 (Table A8) | 2, 3 (Table A9) | No | No | Debris
Note: Numbers under the physical loading conditions columns are explained in the specific table in parentheses.
A2. PARAMETER DEFINITION AND LOADING CONDITIONS FOR
AIRCRAFT CRASH (SCENARIO 1)
TABLE A2. IMPACT PARAMETER DEFINITION MATRIX: SCENARIO 1
Crash of a large
passenger aircraft
Fuselage 310 to 1
1 with a fully fuelled 396 900 110 Flexible No No No
40 m2/52 m2 horizontal (Table A4)
fuselage into a
nuclear power plant
310 to
3 Debris 5 000 Rigid body 110 Rigid No No No No
horizontal
TABLE A3. HEAT/FIRE PARAMETER DEFINITION MATRIX: SCENARIO 1
Horizontal
crash of
a large
passenger
aircraft,
2 with a fully Yes 216 000 60 m 500 m 1 200 18 No No No Kerosene No No
fuelled
fuselage, on
the yard of
a nuclear
power plant
a 50% is considered to be consumed in a fire ball, 50% as pool fire.
TABLE A4. VIBRATION PARAMETER DEFINITION SCENARIO 1
LOADING FUNCTIONS
Engineering Hazardous
Plant area Impact Blast Heat/fire Smothering Flooding Other
load description materials release
1, 2, 3 1 1
Reactor building Aircraft crash No Yes Yes Vibration
(Table A2) (Table A3) (Table A3)
1, 2, 3 1 1
Emergency cooling water building Aircraft crash No Yes Yes Vibration
(Table A2) (Table A3) (Table A3)
1, 2, 3 1 1
Pump house Aircraft crash No No Yes Vibration
(Table A2) (Table A3) (Table A3)
1, 2, 3 1 1
Diesel generator building Aircraft crash No Yes Yes Vibration
(Table A2) (Table A3) (Table A3)
2 2
Cooling water pipelines Aircraft crash No No No No No
(Table A3) (Table A3)
TABLE A6. HAZARDOUS MATERIAL RELEASE DEFINITION MATRIX: SCENARIO 2
Plant area | Engineering environmental load description | Impact | Blast | Heat/fire | Hazardous materials release | Smothering | Flooding | Other
Reactor building | Hazardous material | | | | 1 (Table A6) | | |
Emergency cooling water building | Hazardous material | | | | 1 (Table A6) | | |
Pump house | Hazardous material | | | | 1 (Table A6) | | |
Diesel generator building | Hazardous material | | | | 1 (Table A6) | | |
Cooling water pipeline | Hazardous material | | | | 1 (Table A6) | | |
A4. PARAMETER DEFINITION AND LOADING CONDITIONS FOR
GAS PIPELINE EXPLOSION (SCENARIO 3)
TABLE A8. HEAT/FIRE PARAMETER DEFINITION MATRIX: SCENARIO 3
Burn
Combustible/ Heat Building/ Ignition Burn
Fire No. Description Quantity duration Other Quantity Type
ignition potential/temp. yard likelihood duration
(min)
80–100% of
CH4 and other ejected gas 800–1000°C
3 Fire ball <5
hydrocarbons before break inside fire ball
isolation
Laminar
burning after Long due
25% of Transportation
suction into CH4 and other 800–1000°C to potential
4 ejected gas and ignition
building via hydrocarbons inside fire plume internal fire
volume likelihood low
ventilation loads
system
TABLE A9. HAZARDOUS MATERIAL RELEASE DEFINITION MATRIX: SCENARIO 3
Lethal or
Material Smothering effect Smothering effect Penetration
Case No. Quantity disabling effect Duration Other
description (personnel) (components) extent
(personnel)
Short term
ca. 50% of Via ventilation
depending
2 CO, CO2 stoichiometric No No Yes system into main No
on weather
equilibrium control room
conditions
Burnable
CH4, air mixture ca. 80% of
3 No No No No No inside
(late ignition case) released
building
PRESSURE PULSE
Explosion No. | Flammable mass (kg) | Explosion energy (MJ) | Blast strength (multi-energy method) | Reference distance (m) | Peak side on pressure (kPa) | Blast wave shape | Positive phase duration (ms)
Reactor building | Gas pipeline | 3, 4 (Table A8) | 2, 3 (Table A9)
Emergency cooling water building | Gas pipeline | 3, 4 (Table A8) | 2, 3 (Table A9)
Pump house | Gas pipeline | 3, 4 (Table A8) | 2, 3 (Table A9)
Diesel generator building | Gas pipeline | 3, 4 (Table A8) | 2, 3 (Table A9)
Cooling water pipelines | Gas pipeline | 3, 4 (Table A8)
ABBREVIATIONS
CONTRIBUTORS TO DRAFTING AND REVIEW
Varpasuo, P. Fortum Nuclear Services, Finland
Consultants Meetings
This publication provides a general roadmap
for performing the design and evaluation of the
protection of nuclear power plants against human
induced external events, consistent with IAEA
safety standards. It focuses on an overall view of
the methodology and on important considerations
for its application to existing and new nuclear
power plants. The publication also provides an
approach to the assessment against extreme human
induced external events which is fully consistent
with the methods used for the evaluation of
nuclear facilities subjected to extreme natural
events, such as earthquakes and floods.